Configure Centralized Control Policy

Configure Centralized Control Policy

Configure Centralized Control Policy

When Centralized Control Policy is configured on vSmart Controller, it affects the routing policy based on information present in OMP routes and TLOC of OMP. A policy is configured to match the routes and TLOC and then take action based on matches like redirecting packets via Network Services (FW, LB).

When we have multiple vSmart Controller, than all controllers must have same Centralized policy for network to remain stable.

This Policy contains a series of ordered number sequence matching –action which are evaluated in order and when a route or TLOC matches its associated actions are executed on that packet. If anything not matched then packet is by default rejected and discarded.

CLI Configuration Procedure:

Create Site List to which this Centralized control policy is to be applied.

vSmart(config)# policy
vSmart(config-policy)# lists site-list list-name
vSmart(config-lists-list-name)# site-id site-id

Create list of IP Prefixes, TLOC and VPN as required.

vSmart(config)# policy lists
vSmart(config-lists)# prefix-list list-name
vSmart(config-lists-list-name)# ip-prefix prefix/length
vSmart(config)# policy lists
vSmart(config-lists)# tloc-list list-name
vSmart(config-lists-list-name)# tloc address color color encap encapsulation [preference value]
vSmart(config)# policy lists
vSmart(config-lists)# vpn-list list-name
vSmart(config-lists-list-name)# vpn vpn-id

Create a control policy instance:

vSmart(config)# policy control-policy policy-name

Create a series of match–action pair sequences:

vSmart(config-control-policy-policy-name)# sequence number

Define match parameters for routes and for TLOCs:

vSmart(config-sequence-number)# match route route-parameter
vSmart(config-sequence-number)# match tloc tloc-parameter

Define actions to take when a match occurs:

vSmart(config-sequence-number)# action reject
vSmart(config-sequence-number)# action accept export-to (vpn vpn-id | vpn-list listname)
vSmart(config-sequence-number)# action accept set omp-tag number
vSmart(config-sequence-number)# action accept set preference value
vSmart(config-sequence-number)# action accept set service service-name (tloc ip-address| tloc-list list-name) [vpn vpn-id]
vSmart(config-sequence-number)# action accept set tloc ip-address color color [encapencapsulation]
vSmart(config-sequence-number)# action accept set tloc-action action
vSmart(config-sequence-number)# action accept set tloc-list list-name

If no match is found in any of the sequences, it will be rejected, and if for non-matching traffic you want acceptance, you need to configure default action policy.

vSmart(config-policy-name)# default-action accept

Apply the policy to one or more sites in the Viptela overlay network:

vSmart(config)# apply-policy site-list list-name control-policy policy-name (in | out)

If the action you are configuring is a service, configure the required services on the vEdge routers so that the vSmart controller knows how to reach the services:

vEdge(config)# vpn vpn-id service service-name address ip-address


Prefixes can be used as given below:

  • Prefix/length— Exactly match a single prefix–length pair.
  • 0.0.0/0—Match any prefix–length pair.
  • 0.0.0/0 le length—Match any IP prefix whose length is less than or equal to length. For example, ip prefix le 24 matches all IP prefixes with lengths from /1 through /24.
  • 0.0.0/0 ge length—Match any IP prefix whose length is greater than or equal to length. For example, ip-prefix ge 27 matches all IP prefixes with lengths from /27 through /32.
  • 0.0.0/0 ge length1 le length2, or le length2 ge length1—Match any IP prefix whose length is greater than or equal to length1 and less than or equal to length2. For example, ip-prefix ge 20 le 24 matches all /20, /21, /22, /23, and /24 prefixes.


Each TLOC is specified by 3 tuple like its address, color, Encapsulation, in which address is its system address, color is WAN link color and encapsulation is gre or ipsec.


    You are will be the first.


Please login here to comment.